The hacker who accessed encrypted data from Apple's developer center website says he found and reported 13 bugs to the company, but that he has no intention of accessing or using the encrypted user data he obtained while seeing "how deep" he could go.

In a comment made on TechCrunch, Ibrahim Balic identified himself as a "security researcher" who attempted to point out serious issues to Apple about its Dev Center website. His comments came in response to an admission by Apple on Sunday that its developer website was hacked.

Sensitive personal information included on the registered developer website was encrypted, and Apple does not believe the information can be accessed. But Balic suggested he has been able to obtain some user details as evidence to Apple of an apparent security flaw.

Balic said he found a total of 13 bugs on Apple's site, one of which provided him with access to user information. He claims to have taken 73 user details, all of them belonging to Apple employees, and given them to the company as an example.

Four hours after he gave that user data to Apple, the company shut down its Dev Center website. The outage began last Thursday and has persisted since, while Apple has worked "around the clock" in an effort to patch the apparent security issues.

Balic's public comments are apparently in an effort to clear his name, as he said he's "not feeling very happy" about how the situation has been portrayed. He also said he's concerned about potential legal action against him.

"I did not done this research to harm or damage," he wrote in his comment. "I didn't attempt to publish or have not shared this situation with anybody else. My aim was to report bugs and collect the datas for the porpoise (sic) of seeing how deep I can go within this scope."

The supposed researcher claims that he has obtained more than 100,000 encrypted user details by exploiting bugs on Apple's Dev Center website. In a video he posted to YouTube, Balic shows a handful of names and email addresses found in raw data allegedly taken from the Dev Center.

"I will be deleting all the datas I have, only got these datas to see just how deep I can go," the video reads. "Also have informed Apple before taking these datas."

I was just jiggling the front door knob. When I found it open, I went inside the house to see if the owners had left anything valuable sitting around. Seeing that they did, I stuck some of it in my bag to prove to them how bad it could have been... but I was never going to do anything "wrong", I promise.

If he's a security researcher and not a hacker, why is he revealing real developers' names and other info in a YouTube video? Seems best suited for a white paper or essay, no?

Seems to me that he is an "amateur" security researcher at best in that he doesn't seem to know the rules, and judging by his statement has severe communication difficulties (ESL?) to boot. Sort of like an idiot child burglar who sets off an alarm and when caught tells you that he had no intention to steal, just to see if he could get in. Even if it's true, he's still an idiot.

1) If he could do it, and it's true that Apple didn't do anything until he wrote them about it, then others could also already have obtained such info.

2) Since the website went down, developers are reporting phishing emails pretending to be Apple asking for account confirmations. Beware. Give out no info to such emails.

3) Apple may catch some grief for definitions like "some accounts" ("some" = 100,000+ ) ... "transparency" (waiting over three days to say anything) ... and no "sensitive personal information" was taken (apparently email addresses are not considered sensitive).

Companies and governments are deadly serious about this kind of stuff these days. If he were a real professional he would have known this. Perhaps he was hoping to get hired by Apple because of this? Nope.

The problem is he will be made out to be some kind of hero by a) the hater crowd, b) the wikileaks weirdos, c) C|net, d) MacRumors. And every nerd sitting in their parents' basement will now be trying to attack Apple's sites. Oh wait, they already do that all the time.

One cannot rob a bank to expose weaknesses, return the money, and claim one intended no harm. A crime is a crime. I'm not saying what this researcher did actually broke any laws, but unauthorized access to a computer system is illegal in a lot of places.

Apple is horrible at responding to weakness emails. They seem to only fix bugs when they are already exploited. This guy is like Snowden, in a way.

So I guess hackers can do anything if they just say they are security researchers? He had no authority to be there, so he should not have been there. "Do not tamper with other people's stuff unless authorized" is the first rule for security research.

First off, call it semantics if you like but he is a hacker. He might see himself as a 'white hat' but he is a hacker.

Second, we have only his word that his version of the story is true. It's possible it is false and he is spreading this story because he fears Apple figured out who did it and he wants to paint himself as a hero, etc., so Apple will be less likely to press charges. Trouble is that he did this 'research' without Apple's approval, so he put himself at risk of many laws. If he's in the US he could find himself the next Aaron Swartz in the eyes of the Federal prosecutors. And while them going after Swartz as a hacker is debatable, it's not in this case.

Third, the phishing emails are timed too well not to be connected. And the YouTube video with real folks' info: not cool.

I don't buy that he's related to the phishing e-mails. I've received Apple phishing e-mails before. I'll bet that all the other scammers see this as a great opportunity to catch some people off guard as many would be worried.

He should have reported the first issue and stopped. Seeing how deep he could go is hacker mentality. I see an arrest in his future. This has not been a small impact to Apple or the developers.

If you check his email it looks like he's just moonlighting because doing online market research and advertising isn't going so well.

Most of your responses are typical responses that I would expect from Apple the company.
Don't thank the guy for exploiting all these security holes. Vilify him! Should he have posted the YouTube video before going straight to Apple? Probably not. But, God forbid, someone with actual evil intent could have stolen all the user data and done something worse with it.

This is eerily similar to the guy a while back who snuck malware into the App Store to prove it could be done and had his developer license revoked. At this point, why would anyone WANT to help Apple avoid their security blunders?

According to the hacker news website below, the reason he went public was because of the way Apple worded their notice that "... an intruder attempted to secure personal information ..."

Apparently he would've preferred if Apple had said something more like, "we were alerted of a possible vulnerability", since he purposely told them about it without having any nefarious intentions.

Quote:

"A UK based security researcher, Ibrahim Balic, claims that he reported 13 vulnerabilities in Apple's system, highlighting a hole that could have left data from the Developer Center exposed.

For proof of concept, he demonstrated the hack on 73 of Apple's own employees while reporting to the Apple security team. Though he admits that he was able to hack more than 100,000 users, he did not hack the system for malicious purposes.

The security researcher is not happy with Apple's statement, which cited an attempted security breach as the reason for the developer site outage."

All you misinformed and self-righteous people need to understand what he did is and will always be accepted by the computer science and cryptography community as ethical and legal. There is such a thing as whitehat hacking, where someone does penetration testing on a company/website to see how vulnerable it is against real, malicious hackers. If he had simply hacked the Dev website without taking any proof of sensitive information, then Apple would have most likely down-played this situation as some minor breach with no loss of sensitive material. As for all of you calling for him to be sued, you are what's wrong with America today.

I wish people would stop trying to shoot the messenger. In all probability if he were malevolent, we would hear nothing from him. There are always phishing attacks directed at Apple developers which should universally fail. On the other hand this event should allow the minions to do all the things they've wanted and needed to do to improve security.

In any case note that unlike other breaches all sensitive information was encrypted (according to Apple) so it seems this would only help enable phishing attacks which are already prevalent. Except for Apple developers this is just a PR issue. Of course since billions go to developers it is newsworthy but we will see how effective Apple's security has been and how agile the response is.

Being considered ethical by a small subset of the population does not make an action ethical and it certainly does not have any effect on its legality. The simple fact is that he broke into a private security system without authorization, and should therefore be punished regardless of his intent.

If I find a burglar in my house, I'm going to shoot him. There is no question of intent; he has crossed the line in invading my personal space.

OK but these are all just his claims at this point, right? Has Apple confirmed any of this?

It's doubtful that Apple will ever confirm much, especially since that would only highlight that it's possible that many such intrusions could have taken place without being noticed.

That is, if he was able to inject SQL or OGNL into a web request and get this info, others will have tried and succeeded as well.

So Apple will want to simply put this behind them as soon as possible.

--

As to how it's possible in the first place, well, every major corporation runs third-party testing software these days just to look for stuff like this. If you find a problem, you have to fix it or get a security waiver.

Part of the problem is that IT groups tend to install updates rather slowly, because they have to test so many related applications. Plus, you never know what new vulnerabilities the update has.

It's like, damned if you do, and damned if you don't.

Therefore website frameworks can easily be a year or more out of date, and it takes something like this to push everyone into action. It's also why it takes so long to fix. Everything has to be tested, and that can normally take weeks in the best case. Here, they have to accelerate that process.

Been there, done that. I am sympathetic towards the pain that Apple's IT group is going through right now.
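The comment above speculates that the Dev Center bug was an SQL or OGNL injection; nothing on this page confirms what the actual flaw was. As an added example that is not part of the original article or any commenter's post, here is what the SQL-injection case looks like in practice: a constructed in-memory SQLite table (the `developers` table, its columns, the sample rows, the `' OR '1'='1` payload and the access-log lines are all my assumptions, not Apple's data), a lookup that splices user input into the query text beside the parameterised version, and a crude check over access-log lines of the kind a detection engineer would run after such a report.

```python
import re
import sqlite3
from urllib.parse import unquote

# Constructed sample data (an assumption for this example, not Apple's data).
SAMPLE_ROWS = [
    (1, "alice", "alice@example.com", "hash-of-alice-pw"),
    (2, "bob", "bob@example.com", "hash-of-bob-pw"),
    (3, "carol", "carol@example.com", "hash-of-carol-pw"),
]

# Constructed access-log lines; the second one carries a URL-encoded injection.
LOG_LINES = [
    "GET /lookup?username=alice 200",
    "GET /lookup?username='%20OR%20'1'='1 200",
    "GET /lookup?username=bob 200",
]

# Classic tautology payload: closes the string literal and appends OR '1'='1.
PAYLOAD = "' OR '1'='1"


def make_db():
    """Build the throwaway in-memory table the two lookups run against."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE developers "
        "(id INTEGER PRIMARY KEY, username TEXT, email TEXT, pw_hash TEXT)"
    )
    conn.executemany("INSERT INTO developers VALUES (?, ?, ?, ?)", SAMPLE_ROWS)
    conn.commit()
    return conn


def lookup_vulnerable(conn, username):
    """Vulnerable: the caller's string is pasted into the SQL text, so a quote
    in the input ends the literal and the rest is parsed as SQL."""
    sql = "SELECT username, email FROM developers WHERE username = '%s'" % username
    return conn.execute(sql).fetchall()


def lookup_safe(conn, username):
    """Hardened: the driver binds the value as data; quotes and keywords in the
    input never reach the SQL parser."""
    return conn.execute(
        "SELECT username, email FROM developers WHERE username = ?", (username,)
    ).fetchall()


# Detection side: a quote followed by OR/AND/UNION inside a decoded query string
# is a cheap triage signal over web access logs (not a substitute for a real WAF).
_INJECTION_HINT = re.compile(r"'\s*(or|and|union)\b", re.IGNORECASE)


def flag_injection_attempts(lines):
    """Return the indexes of log lines whose decoded request matches the hint."""
    flagged = []
    for idx, line in enumerate(lines):
        if _INJECTION_HINT.search(unquote(line)):
            flagged.append(idx)
    return flagged


def demo():
    """Run both lookups with a normal name and with the payload."""
    conn = make_db()
    return {
        "normal_vuln": lookup_vulnerable(conn, "alice"),   # one row
        "attack_vuln": lookup_vulnerable(conn, PAYLOAD),   # every row leaks
        "attack_safe": lookup_safe(conn, PAYLOAD),         # no such user
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(name, rows)
    print("flagged log lines:", flag_injection_attempts(LOG_LINES))
```

The vulnerable lookup turns the payload into `WHERE username = '' OR '1'='1'`, which is true for every row, so a single request dumps the whole table; the parameterised lookup returns nothing for the same input. The log check is deliberately narrow and will miss encoded or comment-obfuscated variants; it is a starting point for hunting, not a control.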